Basic PGP encryption/decryption and keys management

I was asked to use PGP to encrypt files before uploading them to a remote SFTP server, so I wrote this as a quick reference and set of notes.
Here are some basic PGP commands to get you started encrypting your files, emails and disk drives.

You can go to GPG4Win and download the GPG program.

1. generate keys

gpg --gen-key

As you can see from the following output, I generate a key for "pgptester".
The program will also ask you to provide a passphrase to protect the secret key.

C:\Users\chako>gpg --gen-key
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: pgptester
Email address: pgptester@gmail.com
Comment:
You selected this USER-ID:
    "pgptester <pgptester@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 5AE84DCA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: public key of ultimately trusted key 0B40244A not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
pub   2048R/5AE84DCA 2017-11-21
      Key fingerprint = 18C3 8B89 E9B8 7E08 F588  38A1 D86D C5CD 5AE8 4DCA
uid       [ultimate] pgptester <pgptester@gmail.com>
sub   2048R/B0EC6DC0 2017-11-21


C:\Users\chako>

2. List keys

gpg --list-keys

Our new key is listed under "pgptester", and "5AE84DCA" is the ID of our new public key. We use the public key to encrypt files and
the private key to decrypt them.

C:\Users\chako>gpg --list-keys
C:/Users/chako/AppData/Roaming/gnupg/pubring.gpg
------------------------------------------------
pub   2048R/27D8D2AE 2017-11-15
uid       [ultimate] xttest <xttest@gmail.com>
sub   2048R/D5CD2620 2017-11-15

pub   2048R/6EC98110 2017-11-15
uid       [ unknown] pgptest@gmail.com

pub   2048R/5AE84DCA 2017-11-21
uid       [ultimate] pgptester <pgptester@gmail.com>
sub   2048R/B0EC6DC0 2017-11-21


C:\Users\chako>

3. encrypt files

# the long version
gpg --encrypt --recipient 'Your Name' foo.txt

# using terse options
gpg -e -r Name file.txt

# unattended: --always-trust skips gpg's trust check on the recipient key, so make sure the key ID really is the intended recipient first
gpg --batch --yes -e -r "public key" --always-trust "file path"

You can see that after we encrypt "test_pic.jpg", the program creates an encrypted file called "test_pic.jpg.gpg".

D:\>dir
 Volume in drive D has no label.
 Volume Serial Number is E0FD-4810

 Directory of D:\

11/19/2017  09:49 PM           108,611 test_pic.jpg
               1 File(s)        108,611 bytes
               0 Dir(s)      90,058,752 bytes free

D:\>gpg --batch --yes -e -r 5AE84DCA --always-trust test_pic.jpg

D:\>dir
 Volume in drive D has no label.
 Volume Serial Number is E0FD-4810

 Directory of D:\

11/19/2017  09:49 PM           108,611 test_pic.jpg
11/20/2017  10:52 PM           108,515 test_pic.jpg.gpg
               2 File(s)        217,126 bytes
               0 Dir(s)      89,948,160 bytes free

D:\>
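As an added example (not from the original notes): before a script runs the batch encrypt with --always-trust, it can parse the gpg --list-keys listing from section 2 and refuse a recipient that does not resolve to exactly one key with a valid user ID. The parser, the function names and the accepted-validity set are mine; the sample input is a copy of the listing shown above.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the `gpg --list-keys` listing shown in section 2 (GnuPG 2.0.x layout).
SAMPLE_LIST_KEYS = """\
pub   2048R/27D8D2AE 2017-11-15
uid       [ultimate] xttest <xttest@gmail.com>
sub   2048R/D5CD2620 2017-11-15

pub   2048R/6EC98110 2017-11-15
uid       [ unknown] pgptest@gmail.com

pub   2048R/5AE84DCA 2017-11-21
uid       [ultimate] pgptester <pgptester@gmail.com>
sub   2048R/B0EC6DC0 2017-11-21
"""
PUB_RE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]+)\s+(\d{4}-\d{2}-\d{2})")
UID_RE = re.compile(r"^uid\s+\[\s*(\w+)\]\s+(.+?)\s*$")   # "[ unknown]" is padded with a space
SUB_RE = re.compile(r"^sub\s+\d+[A-Za-z]/([0-9A-Fa-f]+)")
ACCEPTED_VALIDITY = {"ultimate", "full"}   # what we accept instead of passing --always-trust

@dataclass
class PubKey:
    keyid: str
    created: str
    uids: list = field(default_factory=list)      # (validity, user id) pairs
    subkeys: list = field(default_factory=list)   # subkey IDs, e.g. the encryption subkey

def parse_list_keys(text):
    """Turn the human-readable listing into PubKey records, one per 'pub' line."""
    keys, cur = [], None
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            cur = PubKey(keyid=m[1].upper(), created=m[2])
            keys.append(cur)
        elif cur and (m := UID_RE.match(line)):
            cur.uids.append((m[1], m[2]))
        elif cur and (m := SUB_RE.match(line)):
            cur.subkeys.append(m[1].upper())
    return keys

def select_recipient(keys, recipient):
    """Resolve a key ID to exactly one key with an accepted-validity user ID (the check --always-trust skips)."""
    rid = recipient.upper().removeprefix("0X")
    hits = [k for k in keys if k.keyid.endswith(rid) or any(s.endswith(rid) for s in k.subkeys)]
    if len(hits) != 1:
        raise LookupError(f"{recipient}: {len(hits)} keys match, need exactly one")
    if not any(v in ACCEPTED_VALIDITY for v, _ in hits[0].uids):
        raise ValueError(f"{recipient}: no user ID with accepted validity, refusing to encrypt")
    return hits[0]
```

The selected key's keyid is what the wrapper then passes to gpg -r; the imported but never-verified key 6EC98110 is rejected, which is exactly what --always-trust would have silently allowed.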

4. decrypt files

gpg --output decrypted_pic.jpg --decrypt test_pic.jpg.gpg

We have to use the private key to decrypt the file, and after the decryption we get our test_pic.jpg back. 🙂

D:\>dir
 Volume in drive D has no label.
 Volume Serial Number is E0FD-4810

 Directory of D:\

11/20/2017  10:52 PM           108,515 test_pic.jpg.gpg
               1 File(s)        108,515 bytes
               0 Dir(s)      90,058,752 bytes free

D:\>gpg --output decrypted_pic.jpg --decrypt test_pic.jpg.gpg

You need a passphrase to unlock the secret key for
user: "pgptester <pgptester@gmail.com>"
2048-bit RSA key, ID B0EC6DC0, created 2017-11-21 (main key ID 5AE84DCA)

gpg: encrypted with 2048-bit RSA key, ID B0EC6DC0, created 2017-11-21
      "pgptester <pgptester@gmail.com>"

D:\>dir
 Volume in drive D has no label.
 Volume Serial Number is E0FD-4810

 Directory of D:\

11/20/2017  10:55 PM           108,611 decrypted_pic.jpg
11/20/2017  10:52 PM           108,515 test_pic.jpg.gpg
               2 File(s)        217,126 bytes
               0 Dir(s)      89,948,160 bytes free

D:\>

5. other management

list key

gpg --list-keys

delete key

gpg --delete-key 'myfriend@his.isp.com'

D:\>gpg --delete-key pgptest@gmail.com
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  2048R/6EC98110 2017-11-15 pgptest@gmail.com

Delete this key from the keyring? (y/N) y

D:\>

import key

gpg --import key.asc

D:\>gpg --import testkey.asc
gpg: key 6EC98110: public key "pgptest@gmail.com" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

D:\>

export keys

# the exported secret key is protected only by its passphrase; keep it off the SFTP server
gpg --export-secret-keys -a keyid > my_private_key.asc
gpg --export -a keyid > my_public_key.asc

gpg --export -a 5AE84DCA > pub.asc

GnuPG Data Location
C:\Users\{Your User Name}\AppData\Roaming\GnuPG

Setup SFTP server with public key authentication and chroot on Ubuntu

The reason I set up an SFTP server with public key authentication is for lab testing purposes.

Using username "test1".
Authenticating with public key "rsa-key-20171018"
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

71 packages can be updated.
0 updates are security updates.

Last login: Wed Oct 18 22:00:19 2017 from 192.168.1.68
test1@ubuntu:~$

0. install sshd and vsftpd

sudo apt-get update
sudo apt-get install vsftpd
sudo apt-get install openssh-server

1. create sftp user group

sudo groupadd sftponly

2. create testing user

sudo useradd -g sftponly -d /incoming -s /sbin/nologin test2
passwd test2

3. check user and group just created

grep test2 /etc/passwd
cat /etc/group

4. config sshd

nano /etc/ssh/sshd_config

change/add:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys /var/ftpdir/.ssh/authorized_keys

Match group sftponly
ChrootDirectory /var/ftpdir/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

You can also set: UsePAM no

5. create required folders

sudo mkdir -p /var/ftpdir
sudo mkdir -p /var/ftpdir/.ssh
sudo mkdir -p /var/ftpdir/test1/psdir

6. set folder permission and restart ssh server

sudo chown test1:sftponly /var/ftpdir/test1/psdir
sudo service sshd restart

Only psdir is handed to the user: sshd requires the ChrootDirectory itself (/var/ftpdir/test1) and every directory above it to be owned by root and not writable by group or others, otherwise it refuses the login.

7. create a private/public key pair with PuTTYgen and upload the public key to the server folder

sudo nano /var/ftpdir/.ssh/authorized_keys

The public key as generated by PuTTYgen looks like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20171018"
AAAAB3NzaC1yc2EAAAABJQAAAQEAj3Hx0olZ1a7CD1vcFCHz4jhc80fbr7Buq2+I
07Lox0rYuBJS3uZJj8b7Qo1BxlrWI44zWyZcOCssOtkNIEBD6B5prKGqd4osuh+b
G+Pz2PRhIT1FkJU3SWnbnuASmr06lUSxbBQYMg+lum1AV5Y+5k3bN6nv3kgvfHz3
Y0wZNOuM/a6B9mDX9+miiGeDopzAklPaObSVbdVurfpUSa3/GDVco7ZYiY75B42y
w9cvVLVVDQbHrBJNlihLw6h79VtAsydn93RQFkDhr7piIdWrouOUM/O+vSOIPpaa
AO8mZeEpC40ut0SDRpXIALS8Kt3S31bHRGjFbyblN+7zAofEQw==
---- END SSH2 PUBLIC KEY ----

You have to convert it to OpenSSH's one-line format (key type, base64 blob, optional comment), like this:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQ......... all in one line
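Added example (not from the original post): the conversion described above, done in Python instead of by hand. It strips the RFC 4716 framing, joins the base64 onto one line, and reads the key type ("ssh-rsa") from the decoded blob rather than assuming it, so a mislabeled key is caught. The sample key is constructed inside the block and is not a real key; the function names are mine.

```python
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def parse_rfc4716(text):
    """Split an RFC 4716 file into (base64 blob, headers). Header values may continue
    across lines with a trailing backslash; the base64 body never contains ':'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:
            name, _, value = line.partition(":")
            while value.endswith("\\"):
                i += 1
                value = value[:-1] + lines[i]
            headers[name.strip()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    return "".join(body), headers

def ssh_key_type(blob_b64):
    """Read the key type from the decoded wire blob (uint32 length + string)."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    if n == 0 or n > 64 or 4 + n > len(raw):
        raise ValueError("malformed key blob")
    return raw[4:4 + n].decode("ascii")

def to_openssh_line(text):
    """Produce the single authorized_keys line: '<type> <base64> [comment]'.
    The type comes from the blob itself, not from the file, so it cannot be mislabeled."""
    blob, headers = parse_rfc4716(text)
    comment = headers.get("Comment", "")
    return " ".join(p for p in (ssh_key_type(blob), blob, comment) if p)

def _mpint(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # extra 0x00 when the high bit is set
    return struct.pack(">I", len(b)) + b

def build_sample_rfc4716(comment="rsa-key-20171018"):
    """Constructed sample for testing: a demo-only RSA blob (not a real key) in RFC 4716 framing."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << 1023) | 12345)
    b64 = base64.b64encode(blob).decode()
    return "\n".join([BEGIN, f'Comment: "{comment}"', *[b64[i:i + 70] for i in range(0, len(b64), 70)], END])
```

On the server the same conversion is available as ssh-keygen -i -m RFC4716 -f putty.pub; the block shows what that does so the pasted line can be checked before it lands in authorized_keys.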

8. connect with PuTTY + key, and use psftp to connect to the server

PS C:\Users\user\Desktop> .\psftp.exe -load test1@homelab
Using username "test1".
Remote working directory is /
psftp> dir
Listing directory /
drwxr-xr-x    3 0        0            4096 Oct 19 05:30 .
drwxr-xr-x    3 0        0            4096 Oct 19 05:30 ..
drwxr-xr-x    2 1002     1001         4096 Oct 19 05:30 psdir
psftp>
psftp> cd /etc
Directory /etc: no such file or directory

Enable and Disable a Network Adapter using PowerShell

You can type and run "ncpa.cpl" in PowerShell; it opens the Windows network adapter list and settings.

1. WMIC
in powershell (Run as Admin):

wmic nic get name","index

PS C:\Users\chako> wmic nic get name","index
Index  Name
0      Intel(R) Ethernet Connection I217-V
1      Realtek PCIe GBE Family Controller
2      Broadcom 802.11ac Network Adapter
3      Microsoft Kernel Debug Network Adapter
4      Microsoft Wi-Fi Direct Virtual Adapter
5      WAN Miniport (SSTP)
6      WAN Miniport (IKEv2)
7      WAN Miniport (L2TP)
8      WAN Miniport (PPTP)
9      WAN Miniport (PPPOE)
10     WAN Miniport (IP)
11     WAN Miniport (IPv6)
12     WAN Miniport (Network Monitor)
13     Microsoft ISATAP Adapter
14     Microsoft Teredo Tunneling Adapter
15     Bluetooth Device (Personal Area Network)
16     Bluetooth Device (RFCOMM Protocol TDI)
17     Microsoft KM-TEST Loopback Adapter
18     VMware Virtual Ethernet Adapter for VMnet1
19     VMware Virtual Ethernet Adapter for VMnet8
25     VirtualBox Host-Only Ethernet Adapter
26     Microsoft ISATAP Adapter #6


PS C:\Windows\system32> wmic path win32_networkadapter where index=18 call enable
Executing (\\DESKTOP-G0J7PAP\root\cimv2:Win32_NetworkAdapter.DeviceID="18")->enable()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};

2. netsh
in powershell (Run as Admin):

PS C:\Windows\system32> netsh interface show interface

Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Disconnected   Dedicated        Ethernet
Disabled       Disconnected   Dedicated        Npcap Loopback Adapter
Disabled       Disconnected   Dedicated        VirtualBox Host-Only Network
Disabled       Disconnected   Dedicated        VMware Network Adapter VMnet1
Disabled       Disconnected   Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        Wi-Fi
Enabled        Disconnected   Dedicated        Ethernet 2

Disable Ethernet:

netsh interface set interface "Ethernet" disabled

3. Get-NetAdapter
in powershell (Run as Admin):

PS C:\Windows\system32> Get-NetAdapter

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet 2                Realtek PCIe GBE Family Controller           20 Disconnected 70-A0-20-0B-0A-99          0 bps
Wi-Fi                     Broadcom 802.11ac Network Adapter             9 Up           54-CA-6B-A1-A3-23        78 Mbps
VMware Network Adapte...8 VMware Virtual Ethernet Adapter for ...       3 Not Present  00-50-56-C0-00-08          0 bps
VMware Network Adapte...1 VMware Virtual Ethernet Adapter for ...      10 Disabled     00-50-56-C0-00-01       100 Mbps
VirtualBox Host-Only N... VirtualBox Host-Only Ethernet Adapter        23 Not Present  0A-00-27-00-00-1B          0 bps
Npcap Loopback Adapter    Npcap Loopback Adapter                       19 Not Present  A2-00-CC-CC-FF-5A          0 bps
Ethernet                  Intel(R) Ethernet Connection I217-V          16 Disabled     50-D0-AB-CB-FB-99          0 bps



PS C:\Windows\system32> Get-NetAdapter -Name Ethernet | Enable-NetAdapter
PS C:\Windows\system32> Get-NetAdapter -Name Ethernet | Disable-NetAdapter

Confirm
Are you sure you want to perform this action?
Disable-NetAdapter 'Ethernet'
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
PS C:\Windows\system32>

[reference]
https://support.microsoft.com/en-za/help/192806/how-to-run-control-panel-tools-by-typing-a-command